2B-5s 



Static Analysis and Automatic Code Synthesis of flexible FSM Model 



Dohyung Kim 
Researcher 
ISRC, Seoul National 
Univ., Seoul, Korea 
dhkim@iris.snu.ac.kr 



Abstract - To describe complex control modules, the following 
four features are requested for extended FSM models: concur- 
rency, compositionality, static analyzability, and automatic code 
synthesis capability. In our codesign environment we use a new 
FSM extension called flexible FSM model. It extends the ex- 
pression capabilities by concurrency, hierarchy, and state 
variable while it maintains formal property. Because of formal- 
ity and the structured nature of fFSM model, we can apply a 
static analysis method to find ambiguous behavior and synthe- 
size software/hardware automatically, which is the main focus 
of this paper. We expect that the proposed technique can be 
applied to other compositional FSM extensions. 



I. Introduction 

Among diverse models of computation, finite state ma- 
chine (FSM) is the most popular model to describe the control 
module of a system. Even though FSM is simple to use, its 
unstructuredness and state explosion problem due to system 
concurrency and memory prohibits FSM model from practi- 
cal representation. Instead, many extensions have been pro- 
posed to overcome these problems. 

To describe complex control modules, the extensions 
should support various kinds of concurrency. Another desired 
feature is compositionality: whether the complex module can 
be represented as a composition of simpler modules. Then, 
modules can be easily reused to construct a large system. 
Moreover, because of their complexity, subtle design errors 
are difficult to find and the equivalence check of an imple- 
mentation is not easy to achieve. Therefore, it is desired to 
have a static analysis method to check ambiguous behavior. 
Finally, for fast prototyping, automatic hardware (or software) 
synthesis is needed from the extended model. However, 
most existing FSM models do not meet all 
those requirements. 

In this paper, we present how those requirements can be 
satisfied with a proposed FSM model. In particular, static 
analysis and automatic code synthesis techniques are our 
main focus. The proposed FSM model is called flexible FSM 
model meaning that there are more than one way of ex- 
pressing concurrency. fFSM model is devised as a part of 
system-level specification to specify control activity of the 
system in our codesign environment [1]. In our codesign 
environment, computation tasks are represented by dataflow 
model while at top-level a task model specifies the system 
behavior as a composition of control and computation tasks. 
Therefore, the fFSM model provides a way of sending control 
commands and signals to computation tasks. However, 
we will not handle this issue in this paper. 

In section II, we review well-known FSM extensions and 
how they are related with the fFSM model. Section III will 
present the fFSM model in a formal way. The proposed 
static analysis technique to detect ambiguity is presented in section IV. 
Automatic code synthesis from the fFSM model is explained 
in section V. Finally we conclude the paper in section VI. 

II. Related Works 

Statechart [2] introduces the AND composition of FSM 
subgraphs to represent the concurrency, and the OR compo- 
sition for hierarchical and structural representation. He in- 
vented the notion of internal event by which the communi- 
cation between concurrent FSMs and hierarchical FSMs 
performs. Many Statechart variants have been proposed to 
overcome the ambiguity problem of the original Statechart 
model [3] and to define the formal semantics of Statechart 
[4]. However, most of them are not compositional to keep 
the expressive power of the Statechart. But our fFSM model 
restricts some semantics of the Statechart, which makes the 
model compositional. For example, cross layer communica- 
tion between FSMs is not allowed. 

Codesign FSM [5] describes the system as the loosely 
coupled FSM networks. Unlike the basic FSM model that 
assumes synchrony hypothesis, CFSM takes into account the 
execution delay during a state transition. Even though it is a 
formal model and implementation independent [6], the network 
representation was admitted to be improper to model a 
complex control system. We borrow their formality to ex- 
press the fFSM in a formal way in the next section. 

Hierarchical FSM [7] specifies concurrency using the 
combination of heterogeneous models of computation. In- 
stead of defining the AND composition of FSMs, to express 
concurrency, HFSM uses the outer model of computation 
within which FSMs are placed. For example, two FSMs in 
the outer dataflow model have data-driven interaction. In 
spite of theoretic interest, HFSM model seems difficult to 
understand and unclear how to synthesize from the specification. 

Thus, the fFSM model takes the benefits of previous ap- 
proaches: expressive power from Statechart and formal 
properties from CFSM. In addition, fFSM model has a special 
syntax to express memory in a compact form. The next 
section defines the fFSM model in a formal way. 

III. Definition of fFSM Model 

First, we define an event observed at a time instance as a 
tuple of an event name and a value as follows. 

Definition 1 An event is defined as $(e_n, e_v)$ where 

• $e_n$ is the name or symbol of the event, 

• $e_v \in e_V$ is the value of the event and $e_V$ is the set of 
allowed values. 

We also define two special values, $\epsilon$ and $\phi$. The value $\epsilon$ 
specifies an occurrence of an event without any actual value. 
The value $\phi$ is a default value of all events, which indicates 
that the event is not valid at that time instance. 

In fFSM model, we have three different types of events: 
input event, output event and internal event. We can read a 
value from an input event, write a value to an output event 
and read (or write) a value from (or to) an internal event. 
Because an internal event has both properties of an input 
event and an output event, internal event sets can be defined 
as an intersection of input event sets and output event sets. 
Definition 2 shows the definition of event sets in fFSM 
model. 

Definition 2 Definition of event sets 

• $I = \{(i_{n_1}, i_{V_1}), (i_{n_2}, i_{V_2}), \ldots\}$ is a finite set of input event 
names and of the corresponding finite sets of allowed values. 

• $O = \{(o_{n_1}, o_{V_1}), (o_{n_2}, o_{V_2}), \ldots\}$ is a finite set of output event 
names and of the corresponding finite sets of allowed values. 

• $IT = I \cap O$ is a finite set of internal event names and of 
the corresponding finite sets of allowed values. 

For example, Fig. 1 shows an fFSM graph that represents a 
concurrent FSM with an AND composition of two fFSM 
subgraphs. This example defines three input events but does 
not have any output event or internal event. 

$I = \{(a, \{\epsilon, \phi\}), (b, \{\epsilon, \phi\}), (c, \{\epsilon, \phi\})\}$ 
$O = \{\}$, $IT = \{\}$ 

Fig. 1. A concurrent fFSM graph 

fFSM model supports three different types of composi- 
tion: AND composition, OR composition, and a variable 
state. A variable state is introduced to represent memory in 
a compact form. It can be regarded as a separate concurrent 
FSM graph in which each state is mapped to a value that the 
variable state can have. Therefore, the number of values that 
can be assigned to the variable state should be finite. Al- 
though the variable state is defined as a state-set, it can be 
handled as a special event of which the value is preserved 
across time. Therefore, we can read (or write) a value from 
(or to) a variable state similar to an internal event. 

To define the compositions in a formal way, we define 
each constituent FSM as a state-set. There are two state-sets 
in the fFSM graph of Fig. 1. A variable state is also distinguished 
by a separate state-set. Then, we define the set of 
state-sets that compose the fFSM model, and their initial 
values (or initial states) as follows. 

Definition 3 Definitions of state sets and related initial val- 
ues (or states) 

• $X = \{(x_{n_1}, x_{V_1}), (x_{n_2}, x_{V_2}), \ldots\}$ is a finite set of state-set 
names and of the corresponding finite sets of allowed states 
in the state-set. 

• $V \subset X$ is a finite set of variable state names and of the 
corresponding finite sets of allowed states (or values). 

• $R \subset \{(x_n, x_v) \mid (x_n, x_V) \in X, x_v \in x_V\}$ is a set of initial states. 
An initial state should exist for each state-set. 

In a hierarchical fFSM graph, a special value $\phi$ should be 
an element of $x_V$ to indicate an inactive state. As for the 
fFSM graph of Fig. 1, we obtain the following. 

$X = \{(s_1, \{A, B\}), (s_2, \{C, D\})\}$ 

$V = \{\}$ 

$R = \{(s_1, A), (s_2, C)\}$ 

Next, we need to define the transition between states. A 
transition connects two different states: one is a source state 
and the other is a destination state. It is also associated with a 
condition and actions. The condition is a Boolean expression 
composed of input events and variable states. An action assigns 
an output event with a function of input events and 
variable states. When the Boolean expression (the condition) 
of the transition is satisfied, the expression of each action is 
evaluated and the result value is assigned to an output event 
or a variable state (Fig. 2). 

Definition 4 Transition set $F \subseteq f^{XI} \times f^{C} \times f^{XO} \times f^{A}$ 

• $f^{XI}, f^{XO} \subset \{(x_n, x_v) \mid (x_n, x_V) \in X, x_v \in x_V\}$ are a set 
of source states and destination states of a transition 

• $f^{C} = f(e_{n_1}, e_{n_2}, \ldots)$, $(e_{n_i}, e_{V_i}) \in I \cup V$, is a Boolean expression 
composed of input events and variable states 

• $f^{A} \subset \{(r_n, f^a) \mid (r_n, r_V) \in O \cup V, f^a = f(e_{n_1}, e_{n_2}, \ldots) \in r_V, 
(e_n, e_V) \in I \cup V\}$ is a set of actions which consist of a destination 
$r_n$ and a function $f^a$ composed of input events 
and variable states 

Fig. 2. State transition definition 

For the fFSM graph of Fig. 1, the transition set becomes 

$F = \{(\{(s_1, A)\}, (a = \epsilon), \{(s_1, B)\}, \{\}),$ 
$(\{(s_1, B)\}, (b = \epsilon), \{(s_1, A)\}, \{\}),$ 
$(\{(s_2, C)\}, (c = \epsilon), \{(s_2, D)\}, \{\})\}$ 

From the definitions 2 to 4, we can define flexible FSM 
$fF$. An fFSM graph consists of events (input events, output 
events and internal events), state-sets (states and variable 
states), initial states, and transitions. 

Definition 5 flexible FSM $fF = (I, O, IT, X, V, F)$. 

In the concurrent composition, constituent fFSM graphs 
become active simultaneously. In the hierarchical composi- 
tion, when the parent state becomes active, all state-sets in the 
child fFSM graph become active. Transitions in the child 
fFSM graph are only performed when the parent state is 
active. Fig. 3 illustrates a hierarchical fFSM graph and its 
definition is shown below. 




Fig. 3. A hierarchical fFSM graph 

$I = \{(a, \{\epsilon, \phi\}), (b, \{\epsilon, \phi\}), (c, \{\epsilon, \phi\})\}$ 

$O = \{\}$, $IT = \{\}$ 

$X = \{(s_1, \{A, B\}), (s_2, \{\phi, C, D\})\}$ 

$V = \{\}$ 

$R = \{(s_1, A), (s_2, \phi)\}$ 

$F = \{(\{(s_1, A)\}, (a = \epsilon), \{(s_1, B), (s_2, C)\}, \{\}),$ 
$(\{(s_1, B)\}, (b = \epsilon), \{(s_1, A), (s_2, \phi)\}, \{\}),$ 
$(\{(s_1, B), (s_2, C)\}, (c = \epsilon), \{(s_2, D)\}, \{\})\}$ 

State-set $s_2$ has initial state $\phi$ because its parent state, B, 
is not the initial state of the parent fFSM. When state B becomes 
active, the constituent fFSM becomes active and has 
the initial state C. Once state B becomes inactive, it is 
changed to invalid state $\phi$. 

Another fFSM graph with a variable state is shown in 
Fig.4. An input event "time" is an external clock and an out- 
put signal "timeout" is the result output which indicates that 
timeout occurs. A variable state is defined to keep track of 
the remaining time. The value of the variable state can be 
read in conditions and updated by actions. 



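Fig. 4. Timeout fFSM graph with a variable state 

$I = \{(\text{start}, \{1..10, \phi\}), (\text{time}, \{\epsilon, \phi\})\}$ 
$O = \{(\text{timeout}, \{\epsilon, \phi\})\}$ 

$IT = \{\}$ 

$X = \{(s_1, \{\text{init}, \text{wait}\}), (\text{remain}, \{0..10\})\}$ 
$V = \{(\text{remain}, \{0..10\})\}$ 
$R = \{(s_1, \text{init}), (\text{remain}, 0)\}$ 

$F = \{(\{(s_1, \text{init})\}, (\text{start} \neq \phi), \{(s_1, \text{wait})\}, \{(\text{remain}, \text{start})\}),$ 
$(\{(s_1, \text{wait})\}, (\text{time} = \epsilon \,\&\&\, \text{remain} > 0), \{(s_1, \text{wait})\}, \{(\text{remain}, \text{remain} - 1)\}),$ 
$(\{(s_1, \text{wait})\}, (\text{time} = \epsilon \,\&\&\, \text{remain} = 0), \{(s_1, \text{init})\}, \{(\text{timeout}, \epsilon)\})\}$ 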



IV. Static Analysis of fFSM Model 

While the pure FSM model can be analyzed by several 
static analysis methods to verify the correctness, extended 
FSM models with concurrency are not easy to analyze statically. 
One way of doing it is to flatten the model to the pure FSM 
model and apply the static analysis techniques for the FSM 
model. But it is not a feasible approach as the complexity of 
the system grows because of the state explosion problem. 

In this section, we propose a static analysis technique to 
validate the deterministic behavior of the fFSM model util- 
izing the compositional structure of the model. To make 
fFSM model fully compositional, we make the following 
restrictions. First, a variable state is referenced and updated 
by only an atomic fFSM graph. Second, no inter-transition 
across the hierarchy is allowed. Third, communication between 
concurrent fFSMs is achieved only by internal events. 

An execution (macro-step) of fFSM model is composed 
of several delta-delays (micro-steps) similarly to [4]. Ini- 
tially, the fFSM graph is triggered by input events and 
makes a transition when its condition is satisfied. If any 
transition produces internal events, transitions triggered by 
the internal events are made subsequently until there is no 
more internal event. After every delta-delay, it clears all 
existing events and sets newly produced internal events. We 
call each delta-delay period a phase of execution. Recall 
that the variable states and the output events keep their values 
to make them persistent. 

Such an execution rule of the fFSM model may produce non-deterministic 
behavior as follows. First, multiple transitions 
from one state can be enabled simultaneously but one 
transition should be chosen non-deterministically. Second, 
there can be multiple, simultaneous writers for an event during 
processing of internal events. Then, the final value becomes 
non-deterministic. Lastly, there may exist circular 
transitions by cascaded internal transitions. 

In the proposed technique, we construct a causality graph 
to detect such non-deterministic behavior by analyzing tran- 
sitions of concurrent fFSM graphs. It shows triggering se- 
quence of transitions by internal events. In a causality graph, 
each node indicates a transition in an fFSM graph. A node is 
associated with the variable states and output events which 
are updated by the transition. If a transition invokes another 
transition, we draw a directional line between them. For 
each transition, if the transition produces an internal event, 
we draw a solid line to each transition that will be activated 
by the internal event. If the transition can activate only one 
transition among many possible transitions, they are con- 
nected by dashed lines. 

Because a causality graph shows at which phase each 
transition is executed, multiple transitions from one state can 
be analyzed statically. Second, once we figure out the cas- 
caded transitions from a causality graph by all possible sets 
of input events, we can analyze which events (internal event, 
output event, variable state) are overwritten during the cas- 
caded transitions invoked. Finally, if there exists a circular 
transition sequence, there will be a loop in the causality 
graph. 

The reflex game example (Fig. 5) shows how we can detect 
non-determinism using the causality graph. Input events 
are time, coin, ready and stop, among which the last three 
input events cannot occur simultaneously. Output events are 
game_on, waitGo, waitStop, ringBell, tilt, and gameover. 
Internal events are timeset, timeout, error and exit. And, 
variable states are remain and randn. The game scenario is 
as follows: after a coin is inserted, ready signal becomes on 
after a randomly distributed latency. When the ready signal 
is one, the player should put down the stop button as quickly 
as possible. Then the output is produced to indicate the time 
duration between the ready signal and the stopping action. 

Associated with the fFSM graph of Fig. 5, we construct a 
causality graph as shown in Fig.6. Transitions triggered by 
internal events have dark gray color. 



Since there is no loop in the causality graph there will be 
no circular transitions in the graph. Now we analyze the 
graph by traversing the causality graph at each input event 
set. Table II shows seven sets of cascaded transitions in case 
one input event arrives. Each set consists of three rows: the first 
two rows explain the transition and the current state at each 
phase. The last row, event values, shows the status of output 
events and variable states. If there are multiple assignments 
to the same output event or variable state, non-deterministic 
behavior is detected in the fFSM graph. In Table II, we cannot 
find any non-deterministic transition. 

Table III shows selected three sets of cascaded transitions 
when two simultaneous input events occur. First two sets 
show the cascaded transitions when stop and time input 
events occur simultaneously, which has no problem. The 
third set, however, may cause a serious problem. It occurs 
when the fFSM graph gets input events ready and time, and 
the variable state remain is zero. The variable state remain 
has multiple assignments and the final state would be unex- 
pected state, {Stop, Wait}, instead of {GameOff, Timeinit} 
or {Go, Wait}. We can avoid the case by changing the condition 
of t6 to "time=1&&ready!=1&&remain==0". This 
example shows that such static analysis with the causality 
graph can detect a subtle non-deterministic error. 

Fig. 7 shows a pseudo code of the proposed static analysis 
algorithm. Since the algorithm traverses possible transitions 
for all reachable states, the complexity of the algorithm be- 
comes 0( ^ ^ q ) where n is the number of possi- 
ble initial transitions in each reachable State. Even though 
the complexity of the algorithm is not polynomial in theory, 
the actual complexity in real examples is pseudo-polynomial 
because each reachable state has usually a small number of 
possible initial transitions. 

Table III. Cascaded transitions for two simultaneous input events (surviving rows) 

states | Ready, Wait | Go, Timeinit | Stop, Wait | Stop, Wait 
event values | waitGo=1, remain=0->randn*128->1000, waitStop= 

push a set of the initial states to the stack 
while (the stack is not empty) { 
    pop a set of states from the stack 
    for (all possible sets of possible transitions) { 
        perform cascaded transitions 
        if (arrived set of states is not in the state list) { 
            push the arrived set of states to the stack 
            put the arrived set of states to the state list 
        } 
    } 
} 

Fig. 7. Proposed static analysis algorithm 
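
The worklist of Fig. 7 together with the delta-delay execution rule, as an added Python example that is not code from the paper. The two-state-set model, its transition names and the helpers `make_model`, `macro_step` and `analyze` are constructed for illustration (this is not the Fig. 5 reflex game); the guard change on t6 mirrors the fix described above.

```python
from itertools import combinations

# Constructed model (not the paper's Fig. 5). Transition = (name, state_set, source,
# guard(events, vars), destination, actions); action = (target, value_fn or None).
def make_model(t6_guard):
    return {
        "inputs": ("ready", "time"),
        "internal": {"timeset", "timeout"},
        "init": ({"game": "Ready", "timer": "Wait"}, {"remain": 0}),
        "trans": [
            ("t1", "game", "Ready", lambda e, v: "ready" in e, "Go", [("timeset", None)]),
            ("t2", "game", "Go", lambda e, v: "timeout" in e, "Ready", [("gameover", None)]),
            ("t5", "timer", "Wait", lambda e, v: "time" in e and v["remain"] > 0,
             "Wait", [("remain", lambda v: v["remain"] - 1)]),
            ("t6", "timer", "Wait", t6_guard, "Wait", [("timeout", None)]),
            ("t7", "timer", "Wait", lambda e, v: "timeset" in e, "Wait",
             [("remain", lambda v: 3)]),
        ],
    }

def macro_step(model, states, variables, inputs):
    """One macro-step as delta-delay phases; returns (states, vars, findings)."""
    events, written, findings = set(inputs), set(), []
    for phase in range(len(model["trans"]) + 1):
        enabled = {}
        for t in model["trans"]:
            if states[t[1]] == t[2] and t[3](events, variables):
                enabled.setdefault(t[1], []).append(t)
        next_events, updates = set(), {}
        for sset, ts in enabled.items():
            if len(ts) > 1:  # several transitions enabled from one state
                findings.append(("choice", sset, ts[1][0]))
            name, _, _, _, dst, actions = ts[0]
            states[sset] = dst
            for target, fn in actions:
                key = (phase, target) if target in model["internal"] else target
                if key in written:  # second writer in this macro-step
                    findings.append(("multi-write", target, name))
                written.add(key)
                if target in model["internal"]:
                    next_events.add(target)
                elif target in variables:
                    updates[target] = fn(variables)
        variables.update(updates)
        events = next_events  # inputs are visible in the first phase only
        if not events:
            return states, variables, findings
    findings.append(("loop", None, None))  # more phases than a loop-free cascade allows
    return states, variables, findings

def analyze(model):
    """Worklist over reachable configurations, following the Fig. 7 outline."""
    freeze = lambda s, v: (tuple(sorted(s.items())), tuple(sorted(v.items())))
    ins = model["inputs"]
    input_sets = [c for k in range(1, len(ins) + 1) for c in combinations(ins, k)]
    start = freeze(*model["init"])
    stack, seen, report = [start], {start}, []
    while stack:
        s, v = stack.pop()
        for inputs in input_sets:
            ns, nv, found = macro_step(model, dict(s), dict(v), inputs)
            report += [(dict(s), dict(v), inputs) + f for f in found]
            nxt = freeze(ns, nv)
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return report

BUGGY = make_model(lambda e, v: "time" in e and v["remain"] == 0)
FIXED = make_model(lambda e, v: "time" in e and "ready" not in e and v["remain"] == 0)
```

`analyze(BUGGY)` reports the (ready, time) macro-steps in which t5 and then t7 both assign remain, from configurations that are only reachable through an earlier simultaneous ready and time; `analyze(FIXED)` returns an empty list.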

V. Automatic Code Synthesis from fFSM model 

In this section, we explain how to synthesize the software 
or hardware exploiting the compositional structure of the 



Fig. 8. Flow chart of fFSM C code structure 

Fig.8 shows a flow chart of fFSM C code structure. We 
distinguish initial transitions and internal transitions for efficient 
implementation. Because of delta-delay execution, input 
events are only valid during the initial phase. So, we check 
initial transitions first, and then if there exists any internal 
event produced, we iterate to make internal transitions until 
there is no more internal event as shown in Fig. 9 a). Concurrent 
fFSM graphs are generated as separate 'switch-case' 
codes and the 'switch-case' code of hierarchical fFSM 
is generated inside the parent state as shown in Fig. 9 b). 

Fig. 10 shows the structure of a top fFSM block diagram 
of HW code generation. The control FSM block separates 
processing between initial transitions and internal transitions, 
and the main FSM block as shown in Fig. 11. When the control 
FSM block gets a request signal, it sends an enable signal 
and a process signal outside. Then, the main FSM block 
starts to process input events. After one clock, the control 
FSM deactivates the enable signal and the main FSM block 
processes internal events until there is no more internal 
event. Finally, the main FSM block finishes an execution 
and sends a done signal to the control FSM, which deactivates 
the process signal. 



Fig. 9. a) Simplified code sequence for fFSM model, b) Generated 
code for each fFSM graph 

Fig. 10. A top fFSM block diagram of HW code generation 

Fig. 11. Block diagram of the main FSM in HW 

Fig. 11 shows a block diagram of the main FSM block in 
HW code generation. The block diagram consists of input 
port blocks, internal port blocks, output port blocks and 
concurrent FSM blocks. Each port block stores an event and 
sends the event according to the execution semantic of fFSM 
model. A constituent fFSM graph is generated as an FSM 
block in the figure, which includes sequential logic to store 
states and combinational logic to process transitions. If an 
FSM graph is a child graph in hierarchy, it checks the current 
state of the parent fFSM before making a state transition. 
Combinational logic is also activated only when the next state 
of the parent fFSM is valid. 

VI. Conclusion 

In this paper we introduced a novel extension of FSM 
model, fFSM model, which is successfully used to describe 
complex control behavior in our codesign environment. And 
we proposed a static analysis technique to detect non-deterministic 
behavior of the specification, if any. We also 
proposed a method to synthesize the software or hardware 
preserving the composition structure of the fFSM model. We 
expect that the proposed techniques can be applied to other 
compositional FSM extensions. 